Dolan- Gavitt, Brendan F. wrote: > I've been trying for the past few days to come up with a method for > checking a FreeBSD system to see if it is vulnerable to an issue > described by a FreeBSD security advisory in some automated way [...]
Yes, this is a problem. > [1] Checking the patchlevel as reported by uname -r. > [2] Checking the RCS version tags in the source files listed as > changed by the SA > [3] Using ident on the binaries affected to extract the RCS > tags of the source files used to compile them. > > [1] Can fail if the user updates through binary patches of the sort > offered by freebsd-update; as far as I can tell, these do not affect > the output of uname unless they directly patch the kernel. Worse, the > patchlevel reported may be up-to-date even if the userland is still > vulnerable to an issue mentioned in an SA (eg if the user does a make > buildkernel but not a make buildworld). Yes. Also, the instructions contained in advisories usually involve rebuilding only the affected part(s) of FreeBSD -- we've considered having a "kernel patch number" and "userland patch number" separately, but even this wouldn't really work. > [2] Can fail if the user does not build from source to update the > system. It would also fail if people update their src tree by applying the patches distributed on http://security.freebsd.org/, since these patches don't modify the $FreeBSD$ CVS tags. > [3] Should work in all cases (aside from custom modifications to the > sources, but there's really no way to handle this case), but I don't > know of any way to automatically determine what binary to ident based > on the list of source files given in a security advisory. Most binaries do not include $FreeBSD$ tags corresponding to all of the source files used to compile them, so this approach doesn't work very well, even if the user is updating their source tree with a method which propagates the $FreeBSD$ tags. In addition, FreeBSD Update does not include updated $FreeBSD$ tags, since the new values in those tags are generated at commit time, well after the FreeBSD Update builds are run. > I'm fairly new to FreeBSD, so I may just be missing something > here--is there a reliable way to determine if a system is patched > according to a particular security advisory? In short, no. If you have any ideas, let me know. :-) Colin Percival _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "[EMAIL PROTECTED]"
